CVE-2021-47375
Severity CVSS v4.0: Pending analysis
Type: CWE-416 Use After Free
Publication date: 21/05/2024
Last modified: 02/04/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

blktrace: Fix uaf in blk_trace access after removing by sysfs

There is a use-after-free problem triggered by the following process:

P1(sda) P2(sdb)
echo 0 > /sys/block/sdb/trace/enable
blk_trace_remove_queue
synchronize_rcu
blk_trace_free
relay_close
rcu_read_lock
__blk_add_trace
trace_note_tsk
(Iterate running_trace_list)
relay_close_buf
relay_destroy_buf
kfree(buf)
trace_note(sdb's bt)
relay_reserve
buf->offset /sys/block/sdb/trace/enable &
// Add delay(mdelay/msleep) before kernel enters blk_trace_free()

ioctl$SG_IO(/dev/sda, SG_IO, ...)
// Enters trace_note_tsk() after blk_trace_free() returned
// Use mdelay in rcu region rather than msleep(which may schedule out)

Remove blk_trace from running_list before calling blk_trace_free() by
sysfs if blk_trace is at Blktrace_running state.
Impact
Base Score 3.x: 6.20
Severity 3.x: MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 2.6.30 (including) | 4.4.286 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.5 (including) | 4.9.285 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.10 (including) | 4.14.249 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.15 (including) | 4.19.209 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.20 (including) | 5.4.150 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.5 (including) | 5.10.70 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.14.9 (excluding) |
| cpe:2.3:o:linux:linux_kernel:5.15:rc1:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:5.15:rc2:*:*:*:*:*:* | | |
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/3815fe7371d2411ce164281cef40d9fc7b323dee
- https://git.kernel.org/stable/c/488da313edf3abea7f7733efe011c96b23740ab5
- https://git.kernel.org/stable/c/5afedf670caf30a2b5a52da96eb7eac7dee6a9c9
- https://git.kernel.org/stable/c/677e362ba807f3aafe6f405c07e0b37244da5222
- https://git.kernel.org/stable/c/a5f8e86192612d0183047448d8bbe7918b3f1a26
- https://git.kernel.org/stable/c/d56171d9360c0170c5c5f8f7e2362a2e999eca40
- https://git.kernel.org/stable/c/dacfd5e4d1142bfb3809aab3634a375f6f373269
- https://git.kernel.org/stable/c/ebb8d26d93c3ec3c7576c52a8373a2309423c069



